virtio_ring: secure handling of mapping errors

We should not depend on the DMA address, length and flag of descriptor table since they could be wrote with arbitrary value by the device. So this patch switches to use the stored one in desc_extra. Note that the indirect descriptors are fine since they are read-only streaming mappings. Signed-off-by: Jason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.comSigned-off-by: Michael S. Tsirkin <mst@redhat.com>

virtio_ring: secure handling of mapping errors
We should not depend on the DMA address, length and flag of descriptor table since they could be wrote with arbitrary value by the device. So this patch switches to use the stored one in desc_extra. Note that the indirect descriptors are fine since they are read-only streaming mappings. Signed-off-by: Jason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.comSigned-off-by: Michael S. Tsirkin <mst@redhat.com>
44593865 · Jason Wang · Michael S. Tsirkin · 5a222421 · 44593865
Commit 44593865 authored Jun 04, 2021 by Jason Wang Committed by Michael S. Tsirkin Jul 08, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

drivers/virtio/virtio_ring.c drivers/virtio/virtio_ring.c +4 -1

No files found.
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -1219,13 +1219,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
 unmap_release:
 	err_idx = i;
 	i = head;
+	curr = vq->free_head;

 	vq->packed.avail_used_flags = avail_used_flags;

 	for (n = 0; n < total_sg; n++) {
 		if (i == err_idx)
 			break;
-		vring_unmap_desc_packed(vq, &desc[i]);
+		vring_unmap_state_packed(vq,
+					 &vq->packed.desc_extra[curr]);
+		curr = vq->packed.desc_extra[curr].next;
 		i++;
 		if (i >= vq->packed.vring.num)
 			i = 0;